US20140283057A1 - Tcp validation via systematic transmission regulation and regeneration - Google Patents
Tcp validation via systematic transmission regulation and regeneration Download PDFInfo
- Publication number
- US20140283057A1 US20140283057A1 US13/838,274 US201313838274A US2014283057A1 US 20140283057 A1 US20140283057 A1 US 20140283057A1 US 201313838274 A US201313838274 A US 201313838274A US 2014283057 A1 US2014283057 A1 US 2014283057A1
- Authority
- US
- United States
- Prior art keywords
- tcp packet
- intercepted
- session state
- packet
- intercepted tcp
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/32—Flooding
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0254—Stateful filtering
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
Definitions
- the invention relates generally to data network communications and more particularly to a technique for validating transmission control protocol (TCP) communication between a client requesting resources and a server providing requested resources to protect the specified server from a distributed denial of service (DDoS) attack.
- TCP transmission control protocol
- DDoS distributed denial of service
- an initial packet with a TCP bit flag SYN is generated from a client to a server.
- a plurality of intermediary routing and switching devices assure the delivery of the data packet from the client to the server, and vice versa.
- the server generates a response packet with the TCP bit flags SYN and ACK set.
- the client responds with a TCP ACK packet, establishing a completed TCP session.
- the server Upon generation of the initial TCP SYN packet from the client, the server reserves and allocates a predetermined quantity of system resources, including processor, ram, and/or disk for the facilitation of this connection.
- the server maintains these resources for a predetermined period of time often as long as several minutes.
- an attacker can take advantage of this situation by generating a large quantity of SYN packets to the server, exhausting all system resources. The server will then become unresponsive to legitimate client requests, thus denying service to legitimate clients. This is one embodiment of a “denial of service” attack.
- prior art systems “detect” denial of service conditions, but fail to actually mitigate this undesirable situation.
- Rooney Rooney et al.
- the packet metric parameter which might comprise the volume of packets received is analyzed over selected time intervals with respect to specified geographical locations in which the hosts transmitting the packets are located.
- the expected behavior can be employed to identify traffic distortions revealing a DDoS attack.
- a drawback of Rooney is that it is unable to prevent a “syn flood” attack as no single packet will meet the thresholds set.
- TCP transmission control protocol
- an initiating connection is performed by a TCP packet with the SYN bit flag set.
- the client retransmits further SYN packets.
- the client depending on the operating system configuration, can transmit several SYN packets.
- the client is validated with a high degree of certainty to be legitimate.
- the present invention will know, with a high degree of certainty, that the requesting client is illegitimate and can be blocked.
- the present invention solves the problem of a denial of service condition by validating the legitimate authenticity of connections, and is extremely simple to implement in a software system on an apparatus in a network environment.
- the apparatus can achieve high performance with relative ease of implementation.
- the software system can also be replicated into a global network utilizing a state session sharing mechanism.
- a method for validating transmission control protocol (TCP) packets during a communications session comprises the steps of: intercepting a TCP packet; checking a hash table to determine if a hash entry exists for the intercepted TCP packet, if no hash entry exists in the hash table for the intercepted TCP packet then generating a hash entry for the intercepted TCP packet by hashing a source IP address, a source port, a destination IP address, and a destination port associated with the intercepted TCP packet, and storing a session state associated with the intercepted TCP packet in the hash table as NONE, if a hash entry exists in the hash table for the intercepted TCP packet then retrieving the session state associated with the intercepted TCP packet; determining if the session state is designated as blacklisted, if the session state is designated as blacklisted then discarding the intercepted TCP packet, if the session state is not designated as blacklisted then identifying a TCP packet flag associated with
- An advantage of the present invention is its simplicity of implementation. As the present invention does not necessitate the interception of egress traffic, it can be implemented with relative ease. Network asymmetric is no longer a problem because of this.
- Another advantage is that it provides a very high level of security against invalid client connections. In testing, a significant portion of attacks utilize methods, procedures, patterns, and fingerprints that are thwarted by the present invention.
- Another advantage of the present invention is the versatility of the hash function. Utilizing different hash functions, different advantages based on the advantages the different hash functions provide. Some hash functions provide advantages for disparate sets, while others provide advantages for similar sets. The purpose of the hash function can dictate the application of the present invention.
- Another advantage is that the memory footprint required by the present invention is fairly low as not much information is stored on each state session.
- the total state session information saved is 32 bits for source address, 32 bits for destination address, 16 bits for source port address, 16 bits for destination port address, 8 bits for a state identifier, and 8 bits for a SYN counter.
- FIG. 1 illustrates a communication system according to an embodiment of the invention
- FIG. 2 illustrates a TCP validation method according to an embodiment of the invention
- FIG. 3 illustrates a TCP validation method according to another embodiment of the invention.
- FIGS. 1-3 wherein like reference numerals refer to like elements.
- the present invention may be implemented as software residing and executing on one or more computers, i.e., apparatuses.
- the apparatus or set of apparatuses receive network traffic and generate control messages to dictate the flow of particular traffic.
- the network traffic that is passed through an apparatus consists of all network traffic that is desired to be securely managed. This can include network all network traffic or a particular subset off network traffic such as network traffic destined to a particular subsection of the network. Network traffic can originate in any point of presence that the service provider or content provider resides.
- the apparatus itself also controls the flow of traffic to limit, restrict, or allow such traffic communication based on the control logic described herein.
- FIG. 1 illustrates a communication system according to an embodiment of the invention.
- the communication system comprises a client 101 , an apparatus 102 implementing logic as described herein, a router 103 , and a server 104 .
- client 101 , router 103 , and server 104 are readily apparent to one of ordinary skill in the art.
- FIG. 2 illustrates a TCP validation method according to an embodiment of the invention.
- a packet originates and is intercepted by apparatus 102 at step 200 .
- the packet originates from client 101 , which transmits a TCP SYN packet 105 to server 104 , intercepted by apparatus 102 .
- a session state is either conceived for the packet and inserted into a hash table, or is retrieved from the existing state session in the hash table.
- This session state is based on a hash entry for the source IP address, source port, destination IP address, and destination port of the packet.
- the session state determines the current state of the session and can be of type “OPEN1”, “OPEN2”, “EST”, or “BLACKLIST”.
- the apparatus 102 ignores further processing on the packet at step 202 .
- This hash can be accessed again at any point to retrieve data regarding the session.
- An applicable and configurable timeout is applied to this session in step 201 based on the environmental needs and requirements this methodology or apparatus is deployed in, often about 24 hours, at which point if communication has not taken place for specified time, the session is expired to free up memory resources.
- This session timeout functionality can be implemented at step 201 where the system checks for the existence of the packet in an existing session. If the timeout period has expired, the function would not return an existing hash entry.
- the hash algorithm usable for this invention is any type of available hash algorithm, the identification and implementation of which is apparent to one of ordinary skill in the art.
- Example hash algorithms can be found at en.wikipedia.org/wiki/Hash_function.
- a usable hash function is ‘perfect hashing’.
- the hashing function needs to be able to locate a record with certainty.
- the hashing function needs to support the hash table identifiers source IP, source port, destination IP, and destination port.
- the hash function needs to support an additional field to maintain timeout.
- Apparatus 102 processes the packet at steps 200 , 201 , and 202 . If the state of the session is Other 206 , and if the SYN count is equal to one at step 207 , apparatus 102 sets state to “OPEN1” and ignores any further processing on the packet 215 . If the state of the session is Other 206 and if SYN count is equal to 2 or 3 at step 209 , the state is set to OPEN2 and the packet is replicated to the end server 104 via SYN commands 106 and 107 . If the SYN count is greater than 3 at step 208 , the state is set to blacklist and further processing is ignored.
- the server 104 responds with a TCP SYNACK packet 108 to the client 101 .
- the client 101 transmits a TCP ACK packet 109 that is intercepted by apparatus 102 .
- apparatus 102 processes the packet type. If the packet is not a SYN packet, the apparatus 102 determines the state at step 205 . If the packet is of state NONE or OPEN1 210 , the packet is ignored. If the packet is of state EST or OPEN2 211 , the apparatus 102 sets state to EST and replicates the packet at packets 109 , 110 , and 212 . No further processing is necessary at this point as necessary TCP packets have been replicated for effective communication. This design encompasses all TCP packets.
- apparatus 102 resides on a network, capable of receiving and transmitting network communication traffic, while this device, or another device, prevents the standard flow of this communication traffic between the client 101 and the server 104 .
- apparatus 102 serves as a transparent device manipulating the migration of data packets from one portion of a network to another in the interest of providing network security for a plurality of systems on said network.
- apparatus 102 is replicated into a multi-location mitigation system such as a global mitigation system.
- a multi-location mitigation system such as a global mitigation system.
- Each node performs the necessary functionality to provide protection to a large subset of end servers.
- apparatus 102 is a module on a computer system that performs these tasks to mitigate attempted denial of service against that single computer system to protect its resources.
- a spoofed attack is an Internet flood where a plurality of systems generate an attack wherein the source IP address of the attack is malformed such that the address does not belong to the specific system generating the attack.
- a system can generate spoofed packets at a high data rate as the response to the generated packets do not reach the system. This is because the source IP addresses that the attacking system is utilizing for the attack do not belong to it.
- the responses, as generated by the remote systems arrive at other systems across the Internet. This behavior is prevalent in many attacks currently taking place on the Internet. Many intermediary network devices managed by network operators do not inhibit this form of traffic.
- a socket is created based on some identifying information, often utilizing the source IP address, source port, destination IP address, and destination port. This socket is unique to the connection with these identifying characteristics, or other similar identifying characteristics.
- a socket utilizes system resources such as memory and processing power.
- a plurality of systems transmit, at a sufficient data rate, transmit TCP SYN packets with spoofed source IP addresses against a target remote server, often with the intent to create a denial of service condition.
- the remote system receives these SYN packets, it opens a socket by allocating memory and resources to accept the packet, and attempts to respond to them with a TCP SYNACK to proceed with TCP 3 way handshake.
- the remote system does not time these sockets out for some predetermined time based on the operating system and the administrative settings, often about 30 seconds.
- the system generating the attacks does not see the TCP SYNACK response. It simply continues sending TCP SYN packets to the remote server until the remote server is incapable of processing additional TCP SYN packets as all its resources have been exhausted.
- this methodology prevents this condition by blocking the first TCP SYN packet.
- this first TCP SYN packet is blocked, because all further packets are different, the attack no longer impacts the receiving system because the receiving system never sees these TCP SYN packets. The attack has been mitigated.
- TCP SYN flood a plurality of systems transmit, at a sufficient data rate, TCP SYN packets against a target remote server, often with the intent to create a denial of service condition.
- the source IP addresses of these systems are their real IP addresses.
- the total capacity of the attack is directly correlated with the number of systems under the control of the attacker.
- this methodology prevents this condition by blocking the first TCP SYN packet, fourth TCP packet, and consecutive TCP packets after that.
- the methodology sets the session state for these packets to OPEN1, then replicates these packets to the end system.
- the end system responds with a TCP SYNACK to the attacking system.
- the attacking system ignores these as it is not actually intending to open a TCP connection with the target system. It continues sending TCP SYN packets, at which point the methodology sets the state to BLACKLIST because the SYN count exceeds 3. Once in blacklist, no further processing is performed on any other received TCP SYN packets. The attack has been mitigated.
- FIG. 3 illustrates a TCP validation method according to another embodiment of the invention.
- the difference in this environment begins at steps 201 ( d ), 201 ( e ) and 201 ( f ).
- the system upon detection of an egress packet sets the state to EST. If an egress packet is not detected, the state is never set to EST and communication does not continue.
- we check for state and if the state is EST 211 , we replicate the packet. By doing this, the apparatus makes sure that the server wants to communicate with the client. If the server has some local security policy to reject the client, this apparatus or methodology will honor this by virtue of design and not validate the client.
- An advantage of the embodiment of FIG. 3 is that monitors egress traffic from the server 104 so as to verify that the server is in fact validating the connection.
Abstract
The present invention provides a technique for validating TCP communication between a client requesting resources and a server providing requested resources to protect the specified server from a denial of service attack wherein a plurality of clients initiate communication with a server, but do not complete the communication for the purpose of denying service to the server from other legitimate clients. Through systematic transmission regulation of TCP packets, an intermediary apparatus or set of apparatuses, can, to a high degree of certainty, validate client connections to protect the server from this saturated condition. The communication is then reproduced by the apparatus or apparatuses.
Description
- 1. Field of Invention
- The invention relates generally to data network communications and more particularly to a technique for validating transmission control protocol (TCP) communication between a client requesting resources and a server providing requested resources to protect the specified server from a distributed denial of service (DDoS) attack.
- 2. Description of Related Art
- In a traditional TCP 3-way handshake, the implementation of which is apparent to one of ordinary skill in the art, an initial packet with a TCP bit flag SYN is generated from a client to a server. A plurality of intermediary routing and switching devices assure the delivery of the data packet from the client to the server, and vice versa. The server generates a response packet with the TCP bit flags SYN and ACK set. The client then responds with a TCP ACK packet, establishing a completed TCP session.
- Upon generation of the initial TCP SYN packet from the client, the server reserves and allocates a predetermined quantity of system resources, including processor, ram, and/or disk for the facilitation of this connection. The server maintains these resources for a predetermined period of time often as long as several minutes. As computer systems have limited resources, an attacker can take advantage of this situation by generating a large quantity of SYN packets to the server, exhausting all system resources. The server will then become unresponsive to legitimate client requests, thus denying service to legitimate clients. This is one embodiment of a “denial of service” attack. Generally, prior art systems “detect” denial of service conditions, but fail to actually mitigate this undesirable situation.
- United States Patent Application Publication No. 2003/0226032 to Robert, the disclosure of which is incorporated by reference herein in its entirety, describes a mechanism for detecting denial of service attacks. A probabilistically determined portion of input packets of a connection are processed using a hash function to determine whether the packets belong to the flow initiated by a TCP SYN packet. A drawback of Robert is that it is dependent on the server handling traffic in advance of the flow detection. Once the server has been overloaded, the denial of service condition has been met.
- U.S. Pat. No. 7,921,462 to Rooney et al. (“Rooney”), the disclosure of which is incorporated by reference herein in its entirety, describes a technique for detecting DDoS attacks within the Internet by sampling packets at a point or points in Internet backbone connections to determine a packet metric parameter. The packet metric parameter which might comprise the volume of packets received is analyzed over selected time intervals with respect to specified geographical locations in which the hosts transmitting the packets are located. The expected behavior can be employed to identify traffic distortions revealing a DDoS attack. A drawback of Rooney is that it is unable to prevent a “syn flood” attack as no single packet will meet the thresholds set.
- United States Patent Application Publication No. 2002/0120853 to Tyree, the disclosure of which is incorporated by reference herein in its entirety, describes scripted distributed denial-of-service (DDoS) attack discrimination using turing, i.e., intelligence, tests. A drawback of Tyree is that it cannot be automatically implemented on systems where background communication is necessary, such as simple mail transport protocol (SMTP), and is not plausible in today's Internet topology. Moreover, turing tests are cumbersome for users.
- United States Patent Application Publication No. 2004/0008681 to Govindaraj an et al. (“Govindaraj an”), the disclosure of which is incorporated by reference herein in its entirety, describes a technique for delaying allocation of resources until after the TCP three-way handshake is successfully completed. A drawback of Govindarajan is that implementation in an apparatus is complicated and performance scalability is difficult to achieve in asymmetric networks.
- United States Patent Application Publication No. 2002/0103916 to Chen et al. (“Chen”), the disclosure of which is incorporated by reference herein in its entirety, describes architecture for thwarting denial of service attacks on a victim data center. The system includes a first plurality of monitors that monitor network traffic flow through the network. A central controller receives data from the plurality of monitors, over a hardened, redundant network. A drawback of Chen is that it cannot protect against “spoofed” attacks.
- The present invention overcomes these and other deficiencies of the prior art by utilizing a simplistic approach that takes advantage of the inherent design philosophy of transmission control protocol (TCP). In TCP communication, an initiating connection is performed by a TCP packet with the SYN bit flag set. When the initial SYN packet is ignored by the receiving server, the client retransmits further SYN packets. The client, depending on the operating system configuration, can transmit several SYN packets. By blocking the transmission of this packet at an intermediary apparatus, storing the information, and awaiting for a second or third TCP SYN packet, the client is validated with a high degree of certainty to be legitimate. Conversely, if too many TCP SYN packets are received by the client or intermediary apparatus, the present invention will know, with a high degree of certainty, that the requesting client is illegitimate and can be blocked.
- The present invention solves the problem of a denial of service condition by validating the legitimate authenticity of connections, and is extremely simple to implement in a software system on an apparatus in a network environment. Thus, the apparatus can achieve high performance with relative ease of implementation. The software system can also be replicated into a global network utilizing a state session sharing mechanism.
- In an embodiment of the invention, a method for validating transmission control protocol (TCP) packets during a communications session comprises the steps of: intercepting a TCP packet; checking a hash table to determine if a hash entry exists for the intercepted TCP packet, if no hash entry exists in the hash table for the intercepted TCP packet then generating a hash entry for the intercepted TCP packet by hashing a source IP address, a source port, a destination IP address, and a destination port associated with the intercepted TCP packet, and storing a session state associated with the intercepted TCP packet in the hash table as NONE, if a hash entry exists in the hash table for the intercepted TCP packet then retrieving the session state associated with the intercepted TCP packet; determining if the session state is designated as blacklisted, if the session state is designated as blacklisted then discarding the intercepted TCP packet, if the session state is not designated as blacklisted then identifying a TCP packet flag associated with the intercepted TCP packet, if the TCP packet flag is identified as SYN then determining if the session state is designated as established, if the session state is designated as established then replicating the intercepted TCP packet and forwarding the replicated intercepted TCP packet to a server, if the session state is not designated as established then determining a SYN count associated with the intercepted TCP packet, if the determined SYN count is equal to one then storing the session state associated with the intercepted TCP packet in the hash table as OPEN1 and discarding the intercepted TCP packet, if the determined SYN count is equal to two or three then storing the session state associated with the intercepted TCP packet in the hash table as OPEN2 and replicating the intercepted TCP packet and forwarding the replicated intercepted TCP packet to a server, if the determined SYN count is equal to three or more then storing the session state associated with the intercepted TCP packet in the hash table as blacklisted and discarding the intercepted TCP packet, if the TCP packet flag is not identified as SYN then determining if the session state is designated as established, OPEN1, OPEN2, or NONE, if the determined session state associated with the intercepted TCP packet is NONE or OPEN1 then discarding the intercepted TCP packet, if the determined session state associated with the intercepted TCP packet is established or OPEN2 then replicating the intercepted TCP packet and forwarding the replicated intercepted TCP packet to a server. The method further comprising applying a predetermined timeout to the communications session, wherein if communication has not taken place during the predetermined timeout, the session is expired.
- An advantage of the present invention is its simplicity of implementation. As the present invention does not necessitate the interception of egress traffic, it can be implemented with relative ease. Network asymmetric is no longer a problem because of this.
- Another advantage is that it provides a very high level of security against invalid client connections. In testing, a significant portion of attacks utilize methods, procedures, patterns, and fingerprints that are thwarted by the present invention.
- Another advantage of the present invention is the versatility of the hash function. Utilizing different hash functions, different advantages based on the advantages the different hash functions provide. Some hash functions provide advantages for disparate sets, while others provide advantages for similar sets. The purpose of the hash function can dictate the application of the present invention.
- Another advantage is that the memory footprint required by the present invention is fairly low as not much information is stored on each state session. The total state session information saved is 32 bits for source address, 32 bits for destination address, 16 bits for source port address, 16 bits for destination port address, 8 bits for a state identifier, and 8 bits for a SYN counter.
- The foregoing, and other features and advantages of the invention, will be apparent from the following, more particular description of the preferred embodiments of the invention, the accompanying drawings, and the claims.
- For a more complete understanding of the present invention, and the advantages thereof, reference is now made to the ensuing descriptions taken in connection with the accompanying drawings briefly described as follows:
-
FIG. 1 illustrates a communication system according to an embodiment of the invention; -
FIG. 2 illustrates a TCP validation method according to an embodiment of the invention; and -
FIG. 3 illustrates a TCP validation method according to another embodiment of the invention. - Further features and advantages of the invention, as well as the structure and operation of various embodiments of the invention, are described in detail below with reference to the accompanying
FIGS. 1-3 , wherein like reference numerals refer to like elements. - The present invention may be implemented as software residing and executing on one or more computers, i.e., apparatuses. The apparatus or set of apparatuses receive network traffic and generate control messages to dictate the flow of particular traffic. The network traffic that is passed through an apparatus consists of all network traffic that is desired to be securely managed. This can include network all network traffic or a particular subset off network traffic such as network traffic destined to a particular subsection of the network. Network traffic can originate in any point of presence that the service provider or content provider resides. The apparatus itself also controls the flow of traffic to limit, restrict, or allow such traffic communication based on the control logic described herein.
-
FIG. 1 illustrates a communication system according to an embodiment of the invention. The communication system comprises aclient 101, anapparatus 102 implementing logic as described herein, arouter 103, and aserver 104. The implementation ofclient 101,router 103, andserver 104 is readily apparent to one of ordinary skill in the art. -
FIG. 2 illustrates a TCP validation method according to an embodiment of the invention. In operation, a packet originates and is intercepted byapparatus 102 atstep 200. The packet originates fromclient 101, which transmits aTCP SYN packet 105 toserver 104, intercepted byapparatus 102. Atstep 201, a session state is either conceived for the packet and inserted into a hash table, or is retrieved from the existing state session in the hash table. This session state is based on a hash entry for the source IP address, source port, destination IP address, and destination port of the packet. The session state determines the current state of the session and can be of type “OPEN1”, “OPEN2”, “EST”, or “BLACKLIST”. If the state of the session is blacklisted, theapparatus 102 ignores further processing on the packet atstep 202. This hash can be accessed again at any point to retrieve data regarding the session. An applicable and configurable timeout is applied to this session instep 201 based on the environmental needs and requirements this methodology or apparatus is deployed in, often about 24 hours, at which point if communication has not taken place for specified time, the session is expired to free up memory resources. This session timeout functionality can be implemented atstep 201 where the system checks for the existence of the packet in an existing session. If the timeout period has expired, the function would not return an existing hash entry. The hash algorithm usable for this invention is any type of available hash algorithm, the identification and implementation of which is apparent to one of ordinary skill in the art. No specific algorithm is necessary for proper functionality. Example hash algorithms can be found at en.wikipedia.org/wiki/Hash_function. A usable hash function is ‘perfect hashing’. The hashing function needs to be able to locate a record with certainty. The hashing function needs to support the hash table identifiers source IP, source port, destination IP, and destination port. The hash function needs to support an additional field to maintain timeout. -
Apparatus 102 processes the packet atsteps step 207,apparatus 102 sets state to “OPEN1” and ignores any further processing on thepacket 215. If the state of the session is Other 206 and if SYN count is equal to 2 or 3 atstep 209, the state is set to OPEN2 and the packet is replicated to theend server 104 via SYN commands 106 and 107. If the SYN count is greater than 3 atstep 208, the state is set to blacklist and further processing is ignored. - The
server 104 responds with aTCP SYNACK packet 108 to theclient 101. Theclient 101 transmits aTCP ACK packet 109 that is intercepted byapparatus 102. If the state is blacklist atstep 202, ignore further processing of the packet. If the state is not blacklist atstep 203,apparatus 102 processes the packet type. If the packet is not a SYN packet, theapparatus 102 determines the state atstep 205. If the packet is of state NONE orOPEN1 210, the packet is ignored. If the packet is of state EST orOPEN2 211, theapparatus 102 sets state to EST and replicates the packet atpackets - In an embodiment of the invention,
apparatus 102 resides on a network, capable of receiving and transmitting network communication traffic, while this device, or another device, prevents the standard flow of this communication traffic between theclient 101 and theserver 104. Thus,apparatus 102 serves as a transparent device manipulating the migration of data packets from one portion of a network to another in the interest of providing network security for a plurality of systems on said network. - In another embodiment of the invention,
apparatus 102 is replicated into a multi-location mitigation system such as a global mitigation system. Each node performs the necessary functionality to provide protection to a large subset of end servers. - In another embodiment of the invention,
apparatus 102 is a module on a computer system that performs these tasks to mitigate attempted denial of service against that single computer system to protect its resources. - A spoofed attack is an Internet flood where a plurality of systems generate an attack wherein the source IP address of the attack is malformed such that the address does not belong to the specific system generating the attack. A system can generate spoofed packets at a high data rate as the response to the generated packets do not reach the system. This is because the source IP addresses that the attacking system is utilizing for the attack do not belong to it. Thus, the responses, as generated by the remote systems arrive at other systems across the Internet. This behavior is prevalent in many attacks currently taking place on the Internet. Many intermediary network devices managed by network operators do not inhibit this form of traffic.
- When a TCP SYN packet is received by a system, a socket is created based on some identifying information, often utilizing the source IP address, source port, destination IP address, and destination port. This socket is unique to the connection with these identifying characteristics, or other similar identifying characteristics. A socket utilizes system resources such as memory and processing power.
- During a spoofed TCP SYN flood, a plurality of systems transmit, at a sufficient data rate, transmit TCP SYN packets with spoofed source IP addresses against a target remote server, often with the intent to create a denial of service condition. When the remote system receives these SYN packets, it opens a socket by allocating memory and resources to accept the packet, and attempts to respond to them with a TCP SYNACK to proceed with
TCP 3 way handshake. The remote system does not time these sockets out for some predetermined time based on the operating system and the administrative settings, often about 30 seconds. The system generating the attacks does not see the TCP SYNACK response. It simply continues sending TCP SYN packets to the remote server until the remote server is incapable of processing additional TCP SYN packets as all its resources have been exhausted. - In
FIG. 2 , this methodology prevents this condition by blocking the first TCP SYN packet. When this first TCP SYN packet is blocked, because all further packets are different, the attack no longer impacts the receiving system because the receiving system never sees these TCP SYN packets. The attack has been mitigated. - During a standard TCP SYN flood, a plurality of systems transmit, at a sufficient data rate, TCP SYN packets against a target remote server, often with the intent to create a denial of service condition. The source IP addresses of these systems are their real IP addresses. Thus, the total capacity of the attack is directly correlated with the number of systems under the control of the attacker.
- In
FIG. 2 , this methodology prevents this condition by blocking the first TCP SYN packet, fourth TCP packet, and consecutive TCP packets after that. When the attacking system generates the second and third TCP SYN packets, the methodology sets the session state for these packets to OPEN1, then replicates these packets to the end system. The end system responds with a TCP SYNACK to the attacking system. The attacking system ignores these as it is not actually intending to open a TCP connection with the target system. It continues sending TCP SYN packets, at which point the methodology sets the state to BLACKLIST because the SYN count exceeds 3. Once in blacklist, no further processing is performed on any other received TCP SYN packets. The attack has been mitigated. -
FIG. 3 illustrates a TCP validation method according to another embodiment of the invention. The difference in this environment begins at steps 201(d), 201(e) and 201(f). The system, upon detection of an egress packet sets the state to EST. If an egress packet is not detected, the state is never set to EST and communication does not continue. As we can see in 205, we check for state, and if the state isEST 211, we replicate the packet. By doing this, the apparatus makes sure that the server wants to communicate with the client. If the server has some local security policy to reject the client, this apparatus or methodology will honor this by virtue of design and not validate the client. - An advantage of the embodiment of
FIG. 3 is that monitors egress traffic from theserver 104 so as to verify that the server is in fact validating the connection. - The invention has been described herein using specific embodiments for the purposes of illustration only. It will be readily apparent to one of ordinary skill in the art, however, that the principles of the invention can be embodied in other ways. Therefore, the invention should not be regarded as being limited in scope to the specific embodiments disclosed herein, but instead as being fully commensurate in scope with the following claims.
Claims (4)
1. A method for validating transmission control protocol (TCP) packets during a communications session, the entire method implemented on a computer processor and comprising the steps of:
intercepting a TCP packet;
checking a hash table to determine if a hash entry exists for the intercepted TCP packet, if no hash entry exists in the hash table for the intercepted TCP packet then
generating a hash entry for the intercepted TCP packet by hashing a source IP address, a source port, a destination IP address, and a destination port associated with the intercepted TCP packet, and
storing a session state associated with the intercepted TCP packet in the hash table as NONE,
if a hash entry exists in the hash table for the intercepted TCP packet then
retrieving the session state associated with the intercepted TCP packet;
determining if the session state is designated as blacklisted, if the session state is designated as blacklisted then discarding the intercepted TCP packet, if the session state is not designated as blacklisted then
identifying a TCP packet flag associated with the intercepted TCP packet, if the TCP packet flag is identified as SYN then
determining if the session state is designated as established, if the session state is designated as established then replicating the intercepted TCP packet and forwarding the replicated intercepted TCP packet to a server, if the session state is not designated as established then
determining a SYN count associated with the intercepted TCP packet, if the determined SYN count is equal to one then storing the session state associated with the intercepted TCP packet in the hash table as OPEN1 and discarding the intercepted TCP packet, if the determined SYN count is equal to two or three then storing the session state associated with the intercepted TCP packet in the hash table as OPEN2 and replicating the intercepted TCP packet and forwarding the replicated intercepted TCP packet to a server, if the determined SYN count is greater than three then storing the session state associated with the intercepted TCP packet in the hash table as blacklisted and discarding the intercepted TCP packet,
if the TCP packet flag is not identified as SYN then
determining if the session state is designated as established, OPEN1, OPEN2, or NONE, if the determined session state associated with the intercepted TCP packet is NONE or OPEN1 then discarding the intercepted TCP packet, if the determined session state associated with the intercepted TCP packet is established or OPEN2 then storing the session state associated with the intercepted TCP packet in the hash table as established and replicating the intercepted TCP packet and forwarding the replicated intercepted TCP packet to a server.
2. The method of claim 1 , wherein the TCP packet is a TCP packet with any TCP bit flag set, such as ACK, RST, FIN, URG, PUSH, or SYN.
3. The method of claim 1 , wherein the session state session state determines the current state of a communications session and can be of type “OPEN1”, “OPEN2”, “EST”, or “BLACKLIST”.
4. The method of claim 1 , further comprising applying a predetermined timeout to the communications session, wherein if communication has not taken place during the predetermined timeout, the session is expired.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/838,274 US8978138B2 (en) | 2013-03-15 | 2013-03-15 | TCP validation via systematic transmission regulation and regeneration |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/838,274 US8978138B2 (en) | 2013-03-15 | 2013-03-15 | TCP validation via systematic transmission regulation and regeneration |
Publications (2)
Publication Number | Publication Date |
---|---|
US20140283057A1 true US20140283057A1 (en) | 2014-09-18 |
US8978138B2 US8978138B2 (en) | 2015-03-10 |
Family
ID=51535107
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/838,274 Active 2033-11-16 US8978138B2 (en) | 2013-03-15 | 2013-03-15 | TCP validation via systematic transmission regulation and regeneration |
Country Status (1)
Country | Link |
---|---|
US (1) | US8978138B2 (en) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20160134646A1 (en) * | 2014-11-06 | 2016-05-12 | Cisco Technology, Inc. | Method and apparatus for detecting malicious software using handshake information |
CN108683678A (en) * | 2018-05-28 | 2018-10-19 | 北京天地和兴科技有限公司 | A kind of abnormal behaviour prediction technique of Behavior-based control cooperative awareness model |
EP3361693A4 (en) * | 2015-11-24 | 2018-10-31 | Wangsu Science & Technology Co., Ltd. | Tcp connection processing method, device and system |
CN110138678A (en) * | 2018-02-08 | 2019-08-16 | 华为技术有限公司 | Data transfer control method and device and web-transporting device and storage medium |
KR102015735B1 (en) * | 2018-12-28 | 2019-08-28 | 주식회사 모파스 | Communication method and apparatus of peer for peer to peer(p2p) handshaking control |
US10812525B2 (en) * | 2015-12-30 | 2020-10-20 | NSFOCUS Information Technology Co., Ltd. | Method and system for defending distributed denial of service attack |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9197362B2 (en) * | 2013-03-15 | 2015-11-24 | Mehdi Mahvi | Global state synchronization for securely managed asymmetric network communication |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6104717A (en) * | 1995-11-03 | 2000-08-15 | Cisco Technology, Inc. | System and method for providing backup machines for implementing multiple IP addresses on multiple ports |
US6725378B1 (en) * | 1998-04-15 | 2004-04-20 | Purdue Research Foundation | Network protection for denial of service attacks |
US20070044142A1 (en) * | 2005-08-19 | 2007-02-22 | Yoon Seung Y | Apparatus and method for managing session state |
US7464410B1 (en) * | 2001-08-30 | 2008-12-09 | At&T Corp. | Protection against flooding of a server |
US20120117646A1 (en) * | 2010-11-04 | 2012-05-10 | Electronics And Telecommunications Research Institute | Transmission control protocol flooding attack prevention method and apparatus |
Family Cites Families (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
AU2001253613A1 (en) | 2000-04-17 | 2001-10-30 | Circadence Corporation | System and method for shifting functionality between multiple web servers |
US7043759B2 (en) | 2000-09-07 | 2006-05-09 | Mazu Networks, Inc. | Architecture to thwart denial of service attacks |
US7398317B2 (en) | 2000-09-07 | 2008-07-08 | Mazu Networks, Inc. | Thwarting connection-based denial of service attacks |
US20020032871A1 (en) | 2000-09-08 | 2002-03-14 | The Regents Of The University Of Michigan | Method and system for detecting, tracking and blocking denial of service attacks over a computer network |
US7707305B2 (en) | 2000-10-17 | 2010-04-27 | Cisco Technology, Inc. | Methods and apparatus for protecting against overload conditions on nodes of a distributed network |
US7301899B2 (en) | 2001-01-31 | 2007-11-27 | Comverse Ltd. | Prevention of bandwidth congestion in a denial of service or other internet-based attack |
US20020120853A1 (en) | 2001-02-27 | 2002-08-29 | Networks Associates Technology, Inc. | Scripted distributed denial-of-service (DDoS) attack discrimination using turing tests |
US7028179B2 (en) | 2001-07-03 | 2006-04-11 | Intel Corporation | Apparatus and method for secure, automated response to distributed denial of service attacks |
US7657934B2 (en) | 2002-01-31 | 2010-02-02 | Riverbed Technology, Inc. | Architecture to thwart denial of service attacks |
US7743415B2 (en) | 2002-01-31 | 2010-06-22 | Riverbed Technology, Inc. | Denial of service attacks characterization |
US7373663B2 (en) | 2002-05-31 | 2008-05-13 | Alcatel Canada Inc. | Secret hashing for TCP SYN/FIN correspondence |
US7519991B2 (en) | 2002-06-19 | 2009-04-14 | Alcatel-Lucent Usa Inc. | Method and apparatus for incrementally deploying ingress filtering on the internet |
US7254133B2 (en) | 2002-07-15 | 2007-08-07 | Intel Corporation | Prevention of denial of service attacks |
CN100370757C (en) | 2004-07-09 | 2008-02-20 | 国际商业机器公司 | Method and system for dentifying a distributed denial of service (DDOS) attack within a network and defending against such an attack |
US7478429B2 (en) | 2004-10-01 | 2009-01-13 | Prolexic Technologies, Inc. | Network overload detection and mitigation system and method |
US8346960B2 (en) | 2005-02-15 | 2013-01-01 | At&T Intellectual Property Ii, L.P. | Systems, methods, and devices for defending a network |
US8089871B2 (en) | 2005-03-25 | 2012-01-03 | At&T Intellectual Property Ii, L.P. | Method and apparatus for traffic control of dynamic denial of service attacks within a communications network |
US7797738B1 (en) | 2005-12-14 | 2010-09-14 | At&T Corp. | System and method for avoiding and mitigating a DDoS attack |
US8225399B1 (en) | 2005-12-14 | 2012-07-17 | At&T Intellectual Property Ii, Lp | System and method for avoiding and mitigating a DDoS attack |
US8370937B2 (en) | 2007-12-03 | 2013-02-05 | Cisco Technology, Inc. | Handling of DDoS attacks from NAT or proxy devices |
CN101588246B (en) | 2008-05-23 | 2012-01-04 | 成都市华为赛门铁克科技有限公司 | Method, network equipment and network system for defending distributed denial service DDoS attack |
KR100908404B1 (en) | 2008-09-04 | 2009-07-20 | (주)이스트소프트 | System and method for protecting from distributed denial of service |
KR20130017333A (en) | 2011-08-10 | 2013-02-20 | 한국전자통신연구원 | Attack decision system of slow distributed denial of service based application layer and method of the same |
-
2013
- 2013-03-15 US US13/838,274 patent/US8978138B2/en active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6104717A (en) * | 1995-11-03 | 2000-08-15 | Cisco Technology, Inc. | System and method for providing backup machines for implementing multiple IP addresses on multiple ports |
US6725378B1 (en) * | 1998-04-15 | 2004-04-20 | Purdue Research Foundation | Network protection for denial of service attacks |
US7464410B1 (en) * | 2001-08-30 | 2008-12-09 | At&T Corp. | Protection against flooding of a server |
US20070044142A1 (en) * | 2005-08-19 | 2007-02-22 | Yoon Seung Y | Apparatus and method for managing session state |
US20120117646A1 (en) * | 2010-11-04 | 2012-05-10 | Electronics And Telecommunications Research Institute | Transmission control protocol flooding attack prevention method and apparatus |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20160134646A1 (en) * | 2014-11-06 | 2016-05-12 | Cisco Technology, Inc. | Method and apparatus for detecting malicious software using handshake information |
US9854000B2 (en) * | 2014-11-06 | 2017-12-26 | Cisco Technology, Inc. | Method and apparatus for detecting malicious software using handshake information |
EP3361693A4 (en) * | 2015-11-24 | 2018-10-31 | Wangsu Science & Technology Co., Ltd. | Tcp connection processing method, device and system |
US10812525B2 (en) * | 2015-12-30 | 2020-10-20 | NSFOCUS Information Technology Co., Ltd. | Method and system for defending distributed denial of service attack |
CN110138678A (en) * | 2018-02-08 | 2019-08-16 | 华为技术有限公司 | Data transfer control method and device and web-transporting device and storage medium |
CN108683678A (en) * | 2018-05-28 | 2018-10-19 | 北京天地和兴科技有限公司 | A kind of abnormal behaviour prediction technique of Behavior-based control cooperative awareness model |
KR102015735B1 (en) * | 2018-12-28 | 2019-08-28 | 주식회사 모파스 | Communication method and apparatus of peer for peer to peer(p2p) handshaking control |
Also Published As
Publication number | Publication date |
---|---|
US8978138B2 (en) | 2015-03-10 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11924170B2 (en) | Methods and systems for API deception environment and API traffic control and security | |
Mohammadi et al. | Slicots: An sdn-based lightweight countermeasure for tcp syn flooding attacks | |
US8978138B2 (en) | TCP validation via systematic transmission regulation and regeneration | |
Dayal et al. | Research trends in security and DDoS in SDN | |
Qian et al. | Off-path TCP sequence number inference attack-how firewall middleboxes reduce security | |
Handley et al. | Internet denial-of-service considerations | |
US9633202B2 (en) | Managing a DDoS attack | |
US8819821B2 (en) | Proactive test-based differentiation method and system to mitigate low rate DoS attacks | |
US7730536B2 (en) | Security perimeters | |
US8584236B2 (en) | Method and apparatus for detecting abnormal traffic in a network | |
Moustis et al. | Evaluating security controls against HTTP-based DDoS attacks | |
Karig et al. | Remote denial of service attacks and countermeasures | |
KR101042291B1 (en) | System and method for detecting and blocking to distributed denial of service attack | |
Kavisankar et al. | A mitigation model for TCP SYN flooding with IP spoofing | |
Jeyanthi et al. | Packet resonance strategy: a spoof attack detection and prevention mechanism in cloud computing environment | |
US9686311B2 (en) | Interdicting undesired service | |
US20230208874A1 (en) | Systems and methods for suppressing denial of service attacks | |
Devi et al. | Cloud-based DDoS attack detection and defence system using statistical approach | |
Kavisankar et al. | CNoA: Challenging Number Approach for uncovering TCP SYN flooding using SYN spoofing attack | |
US10182071B2 (en) | Probabilistic tracking of host characteristics | |
Bojjagani et al. | Early DDoS Detection and Prevention with Traced-Back Blocking in SDN Environment. | |
US20230396648A1 (en) | Detecting ddos attacks by correlating inbound and outbound network traffic information | |
KR102027440B1 (en) | Apparatus and method for blocking ddos attack | |
Ubale et al. | Survey on DDoS Attack Techniques and Solutions in Software-Defined | |
Guha et al. | ShutUp: End-to-end containment of unwanted traffic |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |
|
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YR, SMALL ENTITY (ORIGINAL EVENT CODE: M2551); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY Year of fee payment: 4 |
|
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YR, SMALL ENTITY (ORIGINAL EVENT CODE: M2552); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY Year of fee payment: 8 |